// Copyright 2008, Google Inc. // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are // met: // // * Redistributions of source code must retain the above copyright // notice, this list of conditions and the following disclaimer. // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following disclaimer // in the documentation and/or other materials provided with the // distribution. // * Neither the name of Google Inc. nor the names of its // contributors may be used to endorse or promote products derived from // this software without specific prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #ifndef SANDBOX_SRC_SANDBOX_POLICY_H__ #define SANDBOX_SRC_SANDBOX_POLICY_H__ #include "base/basictypes.h" #include "sandbox/src/sandbox_types.h" #include "sandbox/src/security_level.h" namespace sandbox { class TargetPolicy { public: // Sets the security level for the target process' two tokens. // This setting is permanent and cannot be changed once the target process is // spawned. // initial: the security level for the initial token. This is the token that // is used by the process from the creation of the process until the moment // the process calls TargetServices::LowerToken() or the process calls // win32's ReverToSelf(). Once this happens the initial token is no longer // available and the lockdown token is in effect. // lockdown: the security level for the token that comes into force after the // process calls TargetServices::LowerToken() or the process calls // ReverToSelf(). See the explanation of each level in the TokenLevel // definition. // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. // Returns false if the lockdown value is more permissive than the initial // value. // // Important: most of the sandbox-provided security relies on this single // setting. The caller should strive to set the lockdown level as restricted // as possible. virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0; // Sets the security level of the Job Object to which the target process will // belong. This setting is permanent and cannot be changed once the target // process is spawned. The job controls the global security settings which // can not be specified in the token security profile. // job_level: the security level for the job. See the explanation of each // level in the JobLevel definition. // ui_exceptions: specify what specific rights that are disabled in the // chosen job_level that need to be granted. Use this parameter to avoid // selecting the next permissive job level unless you need all the rights // that are granted in such level. // The exceptions can be specified as a combination of the following // constants: // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These // include windows, icons, menus and various GDI objects. In addition the // target process can set hooks, and broadcast messages to other processes // that belong to the same desktop. // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard. // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard. // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide // parameters as defined by the Win32 call SystemParametersInfo(). // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the // display settings. // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table. // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops. // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows(). // // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. // // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at // length in: // http://msdn2.microsoft.com/en-us/library/ms684152.aspx // // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN. virtual ResultCode SetJobLevel(JobLevel job_level, uint32 ui_exceptions) = 0; // Specifies the desktop on which the application is going to run. If the // desktop does not exist, it will be created. virtual ResultCode SetDesktop(const wchar_t* desktop) = 0; // Sets the integrity level of the process in the sandbox. The integrity level // will not take effect before you call LowerToken. User Interface Privilege // Isolation is not affected by this setting and will remain off for the // process in the sandbox. This flag is valid on Vista only, it is silently // ignored on other OSes. If you set the integrity level to a level higher // than your current level, the sandbox will fail to start. virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0; // Sets the integrity level of the process in the sandbox. Both the initial // token and the main token will be affected by this. This is valid only // on Vista. It is silently ignored on other OSes. If you set the integrity // level to a level higher than your current level, the sandbox will fail // to start. virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0; // Sets the interceptions to operate in strict mode. By default, interceptions // are performed in "relaxed" mode, where if something inside NTDLL.DLL is // already patched we attempt to intercept it anyway. Setting interceptions // to strict mode means that when we detect that the function is patched we'll // refuse to perform the interception. virtual void SetStrictInterceptions() = 0; // Windows subsystems that can have specific rules. // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request // exactly like the CreateProcess API does. See the comment at the top of // process_thread_dispatcher.cc for more details. enum SubSystem { SUBSYS_FILES, // Creation and opening of files and pipes. SUBSYS_NAMED_PIPES, // Creation of named pipes. SUBSYS_PROCESS, // Creation of child processes. SUBSYS_REGISTRY, // Creation and opening of registry keys. SUBSYS_SYNC // Creation of named sync objects. }; // Allowable semantics when a rule is matched. enum Semantics { FILES_ALLOW_ANY, // Allows open or create for any kind of access that // the file system supports. FILES_ALLOW_READONLY, // Allows open or create with read access only. FILES_ALLOW_QUERY, // Allows access to query the attributes of a file. FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics // only. NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe. PROCESS_MIN_EXEC, // Allows to create a process with minimal rights // over the resulting process and thread handles. // No other parameters besides the command line are // passed to the child process. PROCESS_ALL_EXEC, // Allows the creation of a process and return fill // access on the returned handles. // This flag can be used only when the main token of // the sandboxed application is at least INTERACTIVE. EVENTS_ALLOW_ANY, // Allows the creation of an event with full access. EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access. REG_ALLOW_READONLY, // Allows readonly access to a registry key. REG_ALLOW_ANY // Allows read and write access to a registry key. }; // Adds a policy rule effective for processes spawned using this policy. // subsystem: One of the above enumerated windows subsystems. // semantics: One of the above enumerated FileSemantics. // pattern: A specific full path or a full path with wildcard patterns. // The valid wildcards are: // '*' : Matches zero or more character. Only one in series allowed. // '?' : Matches a single character. One or more in series are allowed. // Examples: // "c:\\documents and settings\\vince\\*.dmp" // "c:\\documents and settings\\*\\crashdumps\\*.dmp" // "c:\\temp\\app_log_?????_chrome.txt" virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics, const wchar_t* pattern) = 0; // Increments the reference count of this object. The reference count must // be incremented if this interface is given to another component. virtual void AddRef() = 0; // Decrements the reference count of this object. When the reference count // is zero the object is automatically destroyed. // Indicates that the caller is done with this interface. After calling // release no other method should be called. virtual void Release() = 0; }; } // namespace sandbox #endif // SANDBOX_SRC_SANDBOX_POLICY_H__